Windows 7 clients
Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?

FR v2.1.10

[peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Windows 7 clients
Is this the INTERMEDIATE CA that GeoTrust sent along with the server cert?

On 3/15/12 8:25 AM, Scott McLane Gardner sgar...@uark.edu wrote:

> Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?
>
> FR v2.1.10
>
> [peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation
> [peap] eaptls_process returned 4
> [peap] EAPTLS_OTHERS
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
Re: Windows 7 clients
Scott McLane Gardner wrote:

> Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?

You need to put the root CA into the certs directory, so that FreeRADIUS knows it's allowed to issue client certs.

Alan DeKok.
Re: Windows 7 clients
Okay, it is the INTERMEDIATE CA. Sorry for the noise.

On 3/15/12 8:26 AM, Scott McLane Gardner sgar...@uark.edu wrote:

> Is this the INTERMEDIATE CA that GeoTrust sent along with the server cert?
>
> On 3/15/12 8:25 AM, Scott McLane Gardner sgar...@uark.edu wrote:
>
> > Okay, I've finally got the server certificate sorted out, signed by GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?
> >
> > FR v2.1.10
> >
> > [peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
> > TLS Alert read:fatal:unknown CA
> > TLS_accept: failed in SSLv3 read client certificate A
> > rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> > SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> > TLS receive handshake failed during operation
> > [peap] eaptls_process returned 4
> > [peap] EAPTLS_OTHERS
> > [eap] Handler failed in EAP/peap
> > [eap] Failed in EAP select
> > ++[eap] returns invalid
> > Failed to authenticate the user.
Re: Windows 7 clients
Hi,

> Is this the INTERMEDIATE CA that GeoTrust sent along with the server cert?

the server needs to be configured so that the certificate file entry points to a file that contains your server cert, any intermediaries and the root all in one file, in the right order concatenated after each other. the client is then fed that cert chain... if it has the root CA installed it should be happy - though some clients still complain.

alan
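A way to check the "right order" described in the message above before pointing certificate_file at a bundle. This is an added example, not part of the original thread or of FreeRADIUS; the function names, file names and the throwaway certificates it generates are all constructed for the demo, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: is a PEM bundle ordered server -> intermediate(s) -> root?
# Every name and certificate below is constructed for the demo. This checks
# issuer/subject names only; it does not verify signatures.

dn() {  # $1 = subject|issuer, $2 = PEM file; prints the DN in RFC 2253 form
    openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed 's/^[a-z]*= *//'
}

# Return 0 if every certificate in bundle $1 names the next one as its issuer
# and the last one is self-issued (a root); return 1 otherwise.
chain_order_ok() {
    tmp=$(mktemp -d) || return 1
    # Split the bundle into $tmp/cert1.pem, $tmp/cert2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }' "$1"
    i=1; rc=0
    [ -f "$tmp/cert1.pem" ] || rc=1
    while [ -f "$tmp/cert$i.pem" ]; do
        next="$tmp/cert$((i + 1)).pem"
        [ -f "$next" ] || next="$tmp/cert$i.pem"   # last cert must name itself
        if [ "$(dn issuer "$tmp/cert$i.pem")" != "$(dn subject "$next")" ]; then
            echo "cert $i: issuer is not the subject of the next cert" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

issue() {  # $1 = dir, $2 = new cert name, $3 = CN, $4 = signing cert name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial 2 -days 1 -out "$1/$2.pem" 2>/dev/null
}

# Build a throwaway root -> intermediate -> server chain, then two bundles.
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
    -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
issue "$work" int "Constructed Intermediate CA" root
issue "$work" server "radius.example.org" int
cat "$work/server.pem" "$work/int.pem" "$work/root.pem" > "$work/good.pem"
cat "$work/server.pem" "$work/root.pem" "$work/int.pem" > "$work/bad.pem"

chain_order_ok "$work/good.pem" && echo "good.pem: order ok"
chain_order_ok "$work/bad.pem" 2>/dev/null || echo "bad.pem: wrong order"
```

A bundle that passes this name check can still fail validation on the client, so follow it with `openssl verify` against the root the clients actually trust.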
Re: Windows 7 clients
On Thu, Mar 15, 2012 at 01:51:19PM +, Alan Buxey wrote:

> > Is this the INTERMEDIATE CA that GeoTrust sent along with the server cert?
>
> is then fed that cert chain... if it has the root CA installed it should be happy - though some clients still complain.

When I (briefly) tested Windows 7 the other week, it needed the root and intermediate certificates installed. Windows didn't seem to want to accept the intermediate that was sent from the server, no matter what order the certs were. After installing the intermediate on the client, all was well.

However, it was only a quick test, and I was actually doing something else, so it might not be correct. It just niggled me enough at the time to dig a bit deeper, and I put it down to the standard case of Windows being stupid, and moved on. I'd like to be proven incorrect.

Thanks,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Windows 7 clients
Hi,

> GeoTrust and installed, but now I have another certificate problem. I believe this one is that the client doesn't recognize my ca.pem as being signed by a trusted authority. Do I need to get another root cert signed by GeoTrust? If so, how do I go about doing that?
>
> FR v2.1.10
>
> [peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> TLS_accept: failed in SSLv3 read client certificate A

this error is usually when the client is misconfigured in their trust settings

why wouldn't your ca.pem file be trusted? does it not contain the whole cert chain (in the right order?)

alan